VGS corporate lawyers

General Data Protection Regulation: one year later. Penalties and fines approach undertaken by Data Protection Authorities

  • by VGS' Editorial Board
  • 3 June 2019

The GDPR has contributed to changing the global perception of personal data. The new European Regulation is still forcing undertakings and institutions to become compliant. In this context, Data Protection Authorities (“DPAs”) are performing an important guidance role through the sanctions and penalties they impose on data controllers and processors.

The DPAs' approach has been reasonable and measured. In fact, according to the GDPR, sanctions must be effective, proportionate and dissuasive (Art. 83(1)). The sanction system also includes corrective and monitoring powers, in light of the DPAs' task of promoting public awareness and conducting investigations into the application of the Regulation.

For instance, DPAs are able to:

  1. Issue warnings to the controller and processor in the context of dangerous processing activities;
  2. Order the data controller and processor to comply with the data subject’s request;
  3. Order the data controller to communicate the data breach to the data subject;
  4. Impose a temporary limitation or ban on data processing of a certain controller or processor;
  5. Impose an administrative fine;
  6. Suspend the transfer of personal data to a third country or international organisation.

Notably, the proportionate approach of DPAs helps to avoid the paradigm according to which any personal data infringement leads to a pecuniary sanction. In this context, European DPAs shall cooperate to promote a harmonised approach to administrative fines. The Article 29 Working Party announced that pecuniary fines should not be regarded as last-resort sanctions. Administrative pecuniary sanctions shall be imposed in an appropriate manner that ensures their efficacy. In conclusion, both excessive penalties and mild sanctions might be detrimental to the data protection framework.

In determining the sanction to impose, the DPA has to take into consideration how many data subjects are involved, the legal basis for processing, the extent of the damage and the likely risks to data subjects’ rights and freedoms.

Moreover, administrative fines depend on the circumstances of each individual case. The DPA shall give due regard to:

  1. The intentional or negligent character of the infringement;
  2. Any action taken by the controller or processor to mitigate the risk;
  3. The degree of responsibility of the controller or processor;
  4. The category of personal data affected;
  5. The degree of cooperation with the supervisory authority with the intent of remedying the infringement.

Against this background, we are going to analyse European DPAs' decisions in order to highlight the decision criteria and the infringements most likely to occur in certain types of business and contexts. In fact, political and religious contexts may also give rise to GDPR infringements, as happened in Italy with the Rousseau platform used by the Five Stars Movement.

In conclusion, analysing and commenting on the sanctions imposed by DPAs might be helpful in working out how to tailor a robust data protection approach for your own business, avoiding standard policies or, even worse, privacy document generators.


Author: Salvatore Fasciana
